diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 53eb0b82..6e6c87db 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -1,5 +1,6 @@
 name: "CLA Assistant"
 on:
+ # issue_comment triggers this action on each comment on issues and pull requests
 issue_comment:
 types: [created]
 pull_request_target:
@@ -9,10 +10,16 @@ jobs:
 CLAssistant:
 runs-on: ubuntu-latest
 steps:
+ - uses: actions-ecosystem/action-regex-match@v2
+ id: sign-or-recheck
+ with:
+ text: ${{ github.event.comment.body }}
+ regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheckcla)\s*'
+
 - name: "CLA Assistant"
- if: (github.event.comment.body == 'recheckcla' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+ if: ${{ steps.sign-or-recheck.outputs.match != '' || github.event_name == 'pull_request_target' }}
 # Alpha Release
- uses: cla-assistant/github-action@v2.0.1-alpha
+ uses: cla-assistant/github-action@v2.1.1-beta
 env:
 # Generated and maintained by github
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -20,7 +27,7 @@ jobs:
 PERSONAL_ACCESS_TOKEN : ${{ secrets.CLA_SIGN_TOKEN }}
 with:
 path-to-signatures: 'signed_clas.json'
- path-to-cla-document: 'https://jfrog.com/cla/'
+ path-to-document: 'https://jfrog.com/cla/'
 remote-organization-name: 'jfrog'
 remote-repository-name: 'jfrog-signed-clas'
 # branch should not be protected
diff --git a/README.md b/README.md
index f767db00..c2c17673 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,299 @@ To use this provider in your Terraform module, follow the documentation [here](h
 [Xray API Documentation](https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API)
+
+## Quick Start
+
+Create a new Terraform file with `xray` resource (and `artifactory` resource as well):
+
+
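Review bot: The regex in the `sign-or-recheck` step is unanchored and the `|` alternation binds looser than the surrounding `\s*`, so `outputs.match` is non-empty for any comment that merely contains `recheckcla` or the signing sentence somewhere in its text (a maintainer quoting the instructions, for example), which is broader than the exact-equality test the removed `if:` performed; `regex: '^\s*(I have read the CLA Document and I hereby sign the CLA|recheckcla)\s*$'` keeps the whitespace tolerance while matching the whole comment again. Because this workflow also runs on `pull_request_target`, where the job token is normally write-capable, consider pinning `actions-ecosystem/action-regex-match@v2` to a full commit SHA rather than a mutable major tag. The `CLA Assistant` step continues past the end of this hunk.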
HCL Example + +```terraform +# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html) +terraform { + required_providers { + artifactory = { + source = "registry.terraform.io/jfrog/artifactory" + version = "2.6.24" + } + xray = { + source = "registry.terraform.io/jfrog/xray" + version = "0.0.1" + } + } +} +provider "artifactory" { + // supply ARTIFACTORY_USERNAME, ARTIFACTORY_PASSWORD and ARTIFACTORY_URL as env vars +} + +provider "xray" { +// Also user can supply the following env vars: +// JFROG_URL or XRAY_URL +// XRAY_ACCESS_TOKEN or JFROG_ACCESS_TOKEN +} + +resource "random_id" "randid" { + byte_length = 2 +} + +resource "artifactory_user" "user1" { + name = "user1" + email = "test-user1@artifactory-terraform.com" + groups = ["readers"] + password = "Passw0rd!" +} + +resource "artifactory_local_docker_v2_repository" "docker-local" { + key = "docker-local" + description = "hello docker-local" + tag_retention = 3 + max_unique_tags = 5 + xray_index = true # must be set to true to be able to assign the watch to the repo +} + +resource "artifactory_local_gradle_repository" "local-gradle-repo" { + key = "local-gradle-repo-basic" + checksum_policy_type = "client-checksums" + snapshot_version_behavior = "unique" + max_unique_snapshots = 10 + handle_releases = true + handle_snapshots = true + suppress_pom_consistency_checks = true + xray_index = true # must be set to true to be able to assign the watch to the repo +} + +resource "xray_security_policy" "security1" { + name = "test-security-policy-severity-${random_id.randid.dec}" + description = "Security policy description" + type = "security" + + rule { + name = "rule-name-severity" + priority = 1 + + criteria { + min_severity = "High" + } + + actions { + webhooks = [] + mails = ["test@email.com"] + block_release_bundle_distribution = true + fail_build = true + notify_watch_recipients = true + notify_deployer = true + create_ticket_enabled = false // set to true only if Jira integration 
is enabled + build_failure_grace_period_in_days = 5 // use only if fail_build is enabled + + block_download { + unscanned = true + active = true + } + } + } +} + +resource "xray_security_policy" "security2" { + name = "test-security-policy-cvss-${random_id.randid.dec}" + description = "Security policy description" + type = "security" + + rule { + name = "rule-name-cvss" + priority = 1 + + criteria { + + cvss_range { + from = 1.5 + to = 5.3 + } + } + + actions { + webhooks = [] + mails = ["test@email.com"] + block_release_bundle_distribution = true + fail_build = true + notify_watch_recipients = true + notify_deployer = true + create_ticket_enabled = false // set to true only if Jira integration is enabled + build_failure_grace_period_in_days = 5 // use only if fail_build is enabled + + block_download { + unscanned = true + active = true + } + } + } +} + +resource "xray_license_policy" "license1" { + name = "test-license-policy-allowed-${random_id.randid.dec}" + description = "License policy, allow certain licenses" + type = "license" + + rule { + name = "License_rule" + priority = 1 + + criteria { + allowed_licenses = ["Apache-1.0", "Apache-2.0"] + allow_unknown = false + multi_license_permissive = true + } + + actions { + webhooks = [] + mails = ["test@email.com"] + block_release_bundle_distribution = false + fail_build = true + notify_watch_recipients = true + notify_deployer = true + create_ticket_enabled = false // set to true only if Jira integration is enabled + custom_severity = "High" + build_failure_grace_period_in_days = 5 // use only if fail_build is enabled + + block_download { + unscanned = true + active = true + } + } + } +} + +resource "xray_license_policy" "license2" { + name = "test-license-policy-banned-${random_id.randid.dec}" + description = "License policy, block certain licenses" + type = "license" + + rule { + name = "License_rule" + priority = 1 + + criteria { + banned_licenses = ["Apache-1.1", "APAFML"] + allow_unknown = false + 
multi_license_permissive = false + } + + actions { + webhooks = [] + mails = ["test@email.com"] + block_release_bundle_distribution = false + fail_build = true + notify_watch_recipients = true + notify_deployer = true + create_ticket_enabled = false // set to true only if Jira integration is enabled + custom_severity = "Medium" + build_failure_grace_period_in_days = 5 // use only if fail_build is enabled + + block_download { + unscanned = true + active = true + } + } + } +} + +resource "xray_watch" "all-repos" { + name = "all-repos-watch-${random_id.randid.dec}" + description = "Watch for all repositories, matching the filter" + active = true + + watch_resource { + type = "all-repos" + + filter { + type = "regex" + value = ".*" + } + } + + assigned_policy { + name = xray_security_policy.security1.name + type = "security" + } + + assigned_policy { + name = xray_license_policy.license1.name + type = "license" + } + watch_recipients = ["test@email.com", "test1@email.com"] +} + +resource "xray_watch" "repository" { + name = "repository-watch-${random_id.randid.dec}" + description = "Watch a single repo or a list of repositories" + active = true + + watch_resource { + type = "repository" + bin_mgr_id = "default" + name = artifactory_local_docker_v2_repository.docker-local.key + + filter { + type = "regex" + value = ".*" + } + } + + watch_resource { + type = "repository" + bin_mgr_id = "default" + name = artifactory_local_gradle_repository.local-gradle-repo.key + + filter { + type = "package-type" + value = "Docker" + } + } + + assigned_policy { + name = xray_security_policy.security1.name + type = "security" + } + + assigned_policy { + name = xray_license_policy.license1.name + type = "license" + } + + watch_recipients = ["test@email.com", "test1@email.com"] +} + +resource "xray_watch" "build" { + name = "build-watch-${random_id.randid.dec}" + description = "Watch a single build or a list of builds" + active = true + + watch_resource { + type = "build" + bin_mgr_id = 
"default" + name = "your-build-name" + } + + watch_resource { + type = "build" + bin_mgr_id = "default" + name = "your-other-build-name" + } + + assigned_policy { + name = xray_security_policy.security1.name + type = "security" + } + assigned_policy { + name = xray_license_policy.license1.name + type = "license" + } + + watch_recipients = ["test@email.com", "test1@email.com"] +} +``` + + +
+
 ## Release notes for v0.0.1
 Xray provider was separated from Artifactory provider. The most notable differences in the new Xray provider:
@@ -101,8 +394,6 @@ entitled to contribute the code/documentation/translation to the project and is
 willing to have it used in distributions and derivative works (or is willing to transfer
 ownership).
-[Sign the CLA](https://cla-assistant.io/jfrog/terraform-provider-xray)
-
 ## License
 Copyright (c) 2021 JFrog.
diff --git a/pkg/xray/provider.go b/pkg/xray/provider.go
index 75eb508e..3f7b0d6d 100644
--- a/pkg/xray/provider.go
+++ b/pkg/xray/provider.go
@@ -155,7 +155,7 @@ func checkArtifactoryLicense(client *resty.Client) error {
 }
 license := License{}
- _, err := client.R().SetResult(&license).Get("/artifactory/api/system/licenses/")
+ _, err := client.R().SetResult(&license).Get("/artifactory/api/system/license/")
 if err != nil {
 return err
 }
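Review bot: The corrected `Get("/artifactory/api/system/license/")` call still discards the response on the `_, err :=` line, so a non-2xx reply (a wrong path again, a missing permission, an unlicensed instance) leaves `err` nil and `license` zero-valued, and whatever the function checks next sees an empty license instead of a failure. Capturing the response and rejecting error statuses would have made the old wrong path fail loudly and makes this fix observable; resty exposes this as `resp.IsError()` and `resp.Status()`. `checkArtifactoryLicense` starts before and ends after this hunk, and the snippet assumes `fmt` is already imported in the file.

```go
	resp, err := client.R().SetResult(&license).Get("/artifactory/api/system/license/")
	if err != nil {
		return err
	}
	// Non-2xx responses do not surface as err; fail explicitly rather than
	// continuing with a zero-valued License.
	if resp.IsError() {
		return fmt.Errorf("artifactory license check failed: %s", resp.Status())
	}
	// … unchanged: license field checks …
```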